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Integrity Check Value for WLAN Pseudonym 

BACKGROUND OF THE INVENTION 

5 1. Field of the invention 

The invention relates to a method and a system for 
generating a subscriber identifier, and in particular for 
generating a temporal identifier such as a pseudonym. 

10 

2. Background of the invention 

As described above, the invention relates to generating a 
subscriber identifier and in particular to generating a 

15 temporary identifier such as a pseudonym, in a network. 
Pseudonyms are used to provide a user with privacy. That 
is,, when accessing a network service, the user might not 
always wish to expose his true identity. Pseudonyms of fer 
this possibility. However, in case an arbitrary pseudonym 

20 is used, it is impossible to judge whether a user using a 
pseudonym, is entitled to use, ..for example, a particular 
service or not. For this reason, a pseudonym is generated 
by an authentication server, which performs an 
authentication and, therefore, can validate a used 

25 pseudonym. 

As an access method, WLAN (Wireless Local Area Network) 
can be used as an alternative access method to 3GPP 
networks. WLAN access shall provide as good network 
30 access security as GSM or UMTS access methods. 3GPP 

network access provides the following security services: 

- User identity confidentiality (including user location 
confidentiality arid user untraceability) . This is. 
35 achieved using a temporary identity, as described 
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above. To avoid traceability, temporary identities are 
not used for long periods. 

- User authentication 

- Network authentication 
5 - Confidentiality of data 

- Integrity of data 

WLAN network access security is based on the Extensible 
Authentication Protocol (EAP) , EAP-SIM (EAP-Subscriber 
10 Identity Module) and EAP-AKA (EAP-Authentication and Key 
Agreement) as specified in RFC 2284: "PPP Extensible 
Authentication Protocol (EAP)" by L. Blunk and J. 
Vollbrecht, March 1998 

(http://www.ietf.org/rfc/rfc2284.txt), "EAP SIM 
15 Authentication" by H. Haverinen and J* Salowey, January 
2003 (draf t-haverinen-pppext-eapsim, •' 

http: //www. ietf . org/ internet-draf ts /draft-haver inen- 
pppext-eap~sim-09.txt), and "EAP AKA Authentication" by 
J. Arkko and H. Haverinen, January 2003 (draf t-arkko- 
20 pppext-eapaka, http: //www. ietf.org/internet~drafts/draft- 
arkko-pppext-eap-aka-08.txt). 

Both EAP-SIM and EAP-AKA authentication methods provide 
the confidentiality of user identity based on the use of 
25 pseudonyms. 

In particular, during an authentication procedure, an 
authenticating node (Authenticator node) which may be an 
AAA (Authentication, Authorization and Accounting) server 

30 optionally provides a temporary identity, i.e., a 

pseudonym to the WLAN client (e.g\, the subscriber). The 
WLAN client can present it as a user identity for 
subsequent authentication attempts. The EAP-SIM/AKA 
specifications do not define a method for the generation 

35 of pseudonyms, and leave that issue as an implementation 
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decision. Nevertheless, in order to make it possible in 
3GPP networks that pseudonyms provided by one AAA server 
can be recognized by another AAA server (potentially from 
another vendor), some standardization is necessary. 

5 

According to an approach described in "WLAN - Pseudonym 
Generation for EAP-SIM/AKA" 

(ftp: //ftp. 3gpp.org/tsg_sa/WG3_Security/TSGS3_26_Oxf ord/D 
ocs/PDF/S3-020654 .pdf ) , presented on the 3GPP TSG SA WG3 
10 Security meeting, November 19-22, 2002, Oxford, UK, the 
following format for a pseudonym is proposed: 

Pseudonym = Base64 (TAG||Key indicator)) 

AES (padding||BCD(IMSI) [(random number) ) 

15 Where: 

Base64() = base 64 conversion, 
|| = concatenation, 

TAG is used to indicate that WLAN identity is ., 
pseudonym, 

20*:. Key indicator Indicates used keys, 

.AES = AES encryption algorithm in ; ECB mode, , . 

- Padding = the most significant bits will be padded by 

setting all the bits to 1, so that length of 

(padding||BCD(IMSI) ) is 64 bits, 
25 BCD() = binary coded decimal conversion, and 

Random number = 64-bit (8 octets) random number. 

As a basis for generating the pseudonym, an encrypted 
IMSI (International Mobile Subscriber Identity) is used. 
30 In this way, it is assured that there is a connection 
between the subscriber and the pseudonym, but by using 
the encryption, the true identity cannot easily be 
discovered by unauthorized other subscribers or the like. 
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The IMSI is not longer than 15 digits and consists of 
three parts: MCC (Mobile Country Code) for identifying 
the country of the subscriber, usually 3 digits, MNC 
(Mobile Network Code) for identifying the particular home 
5 network, usually 2 to 3 digits, and MSIN (Mobile 

Subscriber Identifying Number) , which should be no more 
that 10 digits. MCC and MNC uniquely identify the 
operator. 

10 For the encryption, first a BCD (Binary Coded Decimal) 
conversion is carried out on the IMSI. In this way, a 
compressed IMSI is generated by using 4 bits to represent 
each digit of the IMSI. That is, the compressed IMSI is: 

15 Compressed IMSI = BCD (IMSI) 

The length of the IMSI is not more than 15 digits 
(numerical characters, 0 to 9). The length of the 
- compressed IMSI should be 64 bits (8 octets). Since the 

20 length of the IMSI is maximum 15 x 4 bits = 60 bits, the- 
most significant bits (here, .the 4 leading bits) will be 
padded by setting all the bits to 1. It is noted that by 
the BCD conversion, none of the converted digits of the 
IMSI can be 1 since each digit is represented by 4 bits. 

25 Therefore, the padding (setting the most significant bits 
to 1) can be easily detected and removed, such that the 
compressed IMSI can be determined. 

Then, a padded IMSI is created by concatenating an 8- 
30 octet random number to the compressed IMSI. This random 
number ensures a predetermined length, i.e., block size, 
and in addition it contributes to the requirement that 
the IMSI should not be easily decrypted. Thus, the padded 
IMSI is: 



35 



Padded IMSI = 
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padding)|BCD (IMSI) ||random number 



The thus generated padded IMSI is encrypted by the IMSI 
with Advanced Encryption Standard (AES) in Electronic 
5 Codebook (ECB) mode of operation by using a ciphering 

key, for example a 128-bit secret key. The encrypted IMSI 
has the following format: 

Encrypted IMSI = AES (padding||BCD ( IMSI ) ||random number) 

10 

After generating the encrypted IMSI, some more fields are 
provided. A key indicator is used in order that the AAA 
server that receives the pseudonym can locate the 
appropriate key to decrypt the encrypted IMSI. Moreover, 
15 a pseudonym tag is used to mark the identity as a 
pseudonym. 

All these fields are concatenated to each other, in the 
form 

20 

T^gJlK^y, .J]pdipatpr||EncrYpted IMSI. . v . . • \ 

This concatenation is converted to a printable string by 
using a BASE64 method. 

25 

Validity of a pseudonym is verified by decrypting the 
result of the AES function (i.e., decrypting the 
encrypted IMSI) and checking that padding, MCC and MCN 
are correct . 

30 

In this way, some reliability on the security is 
achieved. 



35 



However, as described above, the validation of a 
pseudonym requires a full decryption of the pseudonym. 
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This involves large processing, and this can be exploited 
by so-called DoS (Denial of Service) attacks, for 
example . 

5 When performing DoS attacks, an attacker tries to 

generate an overload of a particular server such that 
this server can not longer provide a sufficient function. 
When doing so, the attacker can send multiple EAP- 
Response/Identity message with bogus pseudonyms. The AAA 
10 server decrypts every pseudonym using the AES algorithm, 
checks padding and part of the IMSI (MCC and MCN) and 
rejects bogus pseudonyms. 

Thus, the processing required for each bogus pseudonym is 
15 considerable such that an overload is generated. 

Moreover, an attacker can generate bogus pseudonyms 
randomly in order to access a service or the like. There 
is a certain probability that the attacker might succeed. 
20 Therefore, it is desirable to further improve the 
security, i.e., to reduce the probability that an 
attacker is able to find the correct pseudonym, i.e., to 
forge a pseudonym. 

25 

SUMMARY OF THE INVENTION 

Thus, it is an object underlying the invention to provide 
a further enhanced security and privacy for a user of a 
30 pseudonym. 

This object is- solved by a method for generating a 
subscriber identifier, comprising the steps of 

generating an identifier base string based on 
35 encrypting a subscriber identifying value, 
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generating an integrity check value based on the 
identifier base string, and 

generating a subscriber identifier based on a 
concatenation of the identifier base string and the 
5 integrity check value. 

Alternatively, the above object is solved by a network 
control node for generating a subscriber identifier, 
comprising 

means for generating an identifier base string based 
10 on .encrypting a subscriber identifying value, 

means for generating an integrity check value based 
on the identifier base string, and 

means for generating a subscriber identifier based 
on a concatenation of the identifier base string and the 
15 integrity check value. 

■ Thus, according to the invention, an integrity check 
value. is added to the subscriber identifier. In this way, 
the subscriber identifier (which may be a . pseudonym) can 
20 be validated by only referring to the integrity check 

value. Namely, in ; case the .integrity check value is not 
' -correct, i.e., in case the integrity check fails, it can 
be determined that the subscriber identifier is 
.corrupted, i.e., a bogus subscriber identifier. 

25 

Hence, the processing required for validating a 
subscriber identifier or a pseudonym can be simplified 
such that a server can be more resistant against DoS 
attacks. 

30 

Furthermore, the additional integrity check value 
provides more protection against forgery. 

During generating the identifier base string, the 
35 subscriber identifying value may be binary coded, a 
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random number may be concatenated, and an encryption 
algorithm may be performed on the concatenated binary 
coded subscriber identifying value and the random number, 
for generating the identifier base string. 

5 

During generating the subscriber identifier, a base 64 
conversion may be performed on the concatenated 
identifier base string and the integrity check value* 

10 Moreover, a key indicator for indicating a used ciphering 
key may be concatenated to the value obtained by the 
encryption of the subscriber identifying value. 

Furthermore, upon an identifier type indicator for 
15 indicating that the identifier is a particular identifier 
type may be used, wherein during generating the 
identifier base string, the identity type indicator may 
be concatenated to the value obtained by the encryption 
of the subscriber identifying value. 

20 

During performing the encryption algorithm, a . defined 
length may be provided for the concatenated binary coded 
subscriber identifying value and the random number, 
wherein the most significant bits not used for the binary 
25 coded subscriber identifying value may be set to 1, 
respectively. 

During generating the integrity check value, a pseudo 
random function may be performed on the identifier base 
30 string using an integrity key. 

Moreover, a key indicator for indicating a used ciphering 
key and the integrity key used for generating the 
integrity check value may be used, wherein during 
35 generating the identifier base string the key indicator 
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may be concatenated to the value obtained by the 
encryption of the subscriber identifying value. 

The pseudo random function may be a keyed hash function. 

5 

The calculated result of the pseudo random function 
performing step may be truncated to a predetermined 
amount of bits. 

10 The subscriber identifying value may be an International 
Mobile Subscriber Identity. 

In addition, the invention also proposes a method for 
validating a subscriber identifier, wherein the 
15 subscriber identifier comprises a format including at 

least, an integrity check value, the method comprising the 
steps of ; 

detecting an integrity check value of a received 
subscriber identifier, 
20 performing an integrity check based on the integrity 

. ^ check value and the subscriber identifier, and 

rejecting the subscriber identifier in case the 
integrity check reveals that the subscriber identifier is 
not valid. 

25 

Alternatively, the invention proposes a network control 
node for validating a subscriber identifier, wherein the 
subscriber identifier comprises a format including at 
least an integrity check value, the network control node 
30 comprising 

means for detecting an integrity check value of a 
received subscriber identifier, 

means for performing an integrity check based on the 
integrity check value and the subscriber identifier, and 
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means for rejecting the subscriber identifier in 
case the integrity check reveals that the subscriber 
identifier is not valid* 

5 Thus, a invalid subscriber identity may be rejected only 
passed on the integrity check. Hence, a subscriber 
identity protected with an integrity check value can 
easily be validated without performing complicated 
decryption operations* 

10 

Moreover, in case the integrity check is successful, the 
subscriber identifier may be decrypted in order to 
perform a further detailed validation of the subscriber 
identity. 

15 

The network control node may be an AAA (Authentication, 
Authorization, and Accounting) server. 

Moreover, the invention proposes a computer program 
20 product, comprising software code portions for performing 
. the steps of the above method when the product is run on 
a computer. 

The computer program product may comprise a computer- 
25 readable medium on which said software code portions are 
stored. 

The computer program product may be directly loadable 
into the internal memory of the computer. 

30 



SHORT DESCRIPTION OF THE DRAWINGS 
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Fig. 1 shows a flowchart illustrating a process of 
generating a pseudonym according to an embodiment of the 
present invention, 

5 Fig. 2 shows a flowchart illustrating a process of 

validating a pseudonym according to the embodiment of the 
present invention, and 

Fig. 3 shows a flowchart illustrating a process of 
10 verification of a pseudonym by decrypting the pseudonym. 

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT OF THE 
INVENTION • . 

15 . • ■ 

In the following, the invention is described in detail by 
referring to a preferred embodiment. 

v According to the invention, an integrity check value 
20 (ICV) is added to a subscriber identifier which may be, 
e.g. , a temporary subscriber identifier or a pseudonym. 
In: particular,, this ICV is derived from the pseudonym in 
the form before it is subjected to the Base 64 
Conversion, as described in the introductory part of the 
25 application. This form is referred to as the identifier 
base. string or pseudonym base string in the following. 

The general procedure according to the embodiment is 
described by referring to the flowchart shown in Fig. 1. 

30 

In step SI, the pseudonym base string is generated based 
on a general subscriber identifying value, such as the 
IMSI. In step S2, an ICV (Integrity Check Value) of the 
pseudonym base string is produced. After this, in step S3 
35 the pseudonym base string and the integrity check value 
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are concatenated. In step S4, the final pseudonym is 
created based on the concatenated pseudonym base string 
and the ICV. In the simplest way f the concatenated result 
of step S3 can be used as the pseudonym. Preferably, 
5 however, a Base 64 conversion is performed on this result 
such that a printable string is obtained. 

Thus f the pseudonym obtained as described above has the 
following format: 

10 

Pseudonym = Base64 (Pseudonym base string||ICV) 

The ICV is obtained, for example, by adopting a pseudo 
random function (PRF) with an integrity key on the 
15 pseudonym base string: 

ICV = PRF (Integrity key, Pseudonym base string) 

In the following, the procedure according to the present 
20 embodiment is described in more detail. 



Preferably, the pseudonym according to the embodiment is 
in the following format: 

25 Pseudonym = Base64 (TAG||Key indicator]) 

AES (padding||BCD (IMSI) ((random number) (| ICV), 

where : 

Base64() = base 64 conversion 
30 I) = concatenation 

TAG is used to indicate that WLAN identity is 
pseudonym. 

Key indicator indicates used keys, 

AES = AES encryption algorithm in ECB mode, 
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Padding = the most significant bits will be padded by 
setting all the bits to 1, so that length of 
(padding||BCD(IMSI) ) is 64 bits. 
BCD() = binary coded decimal conversion. 
5 Random number = 64-bit (8 octets) random number. 

ICV = integrity check value. 

That is, the above-described pseudonym base string has 
the following format: 

10 

TAG||Key indicator||AES (padding||BCD ( IMSI ) ||random number) 

The pseudonym base string can be generated as described 
above, namely as described in document "WLAN - Pseudonym 
15 : Generation for EAP-SIM/AKA" 

<ftp: //ftp. 3gpp.org/tsg_sa/WG3_Security/TSGS3_26_Oxford/ 
Docs/PDF/S3-020654 .pdf>. 

In^the following, the generation of the ICV for the 
20 pseudonym is described. 

.... ICV = TRUN (PRF (integrity key, (TAG||Key indicator)! 

AES (padding||BCD(IMSI) ((random number) ) ) , where: 

25 TRUN = truncates calculated result of PRF to 96 bits. 

PRF(key, data) = pseudo random function e.g. keyed 
..hash function. 

Truncation is used, because according to standards, the 
30 NAI (Network Address Identifier) has maximum length of 72 
octets. If length of truncated ICV is 96 bits (n=96) , 
then length of pseudonym is 39 octets after base64 
encoding and realm part of NAI.can.be 33 octets. 
Truncation has advantages (less information on the hash 
35 result available to an attacker) and disadvantages (less 
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bits to predict for the attacker) . Preferably, different 
keys are used for the decryption and for the calculation 
of ICV, but the key indicator identifies both keys, such 
that the key indicator can be referred to as key pair 
5 indicator. 

For the pseudo random function, a keyed hash function may 
be used, as described above. Such a keyed hash function 
may be SHA-1 or MD5, for example. A keyed hash function 
10 such as SHA-1 is described in FIPS Publication 180-2: 

"Specifications for the Secure Hast Standard", August 1, 
2002, for example. Thus, the ICV is calculated using such 
a keyed hash function with a data integrity key. 

15 When using SHA-1, the above calculation of. the ICV is in 
detail as shown in the following procedure: 

ICV - TRUN (PRF (SHA-1 (TAG||Key indicator)! 

AES (padding||BCD(IMSI) [(random number) )||data 
20 integrity key|jpadding of SHA-1)), 

The format of the padding of SHA-1 is also specified in 
the above-referenced FIPS publication 18 0-2. The length 
of the data integrity key is 160 bits. 

25 

In this way, the thus determined integrity check value 
(ICV) is added into the pseudonym. Therefore, according 
to the present embodiment, validation of the pseudonym is 
more secure and resistance of DoS (Denial, of Service) 
30 attacks is better. 

The flowchart of Fig. 2 illustrates the procedure carried 
out when an Authenticator Node (e.g., an AAA server) 
validates a pseudonym received from a subscriber (e.g., 
35 WLAN client) . 
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In step Sll, the AAA server extracts the ICV from the 
pseudonym. This can be achieved by performing an inverted 
Base 64 conversion, such that the printable string (which 
5 was achieved during the pseudonym generation in step S4 
of Fig. 1) is converted into a series of digits again. 
Then, the ICV can be separated from the pseudonym base 
string. Thereafter, in step S12 the AAA server performs 
an integrity check by using the ICV on the pseudonym base 
10 string. That is, the AAA server calculates an ICV and 

compares the result with the received ICV (i.e., the ICV 
attached to the received pseudonym) . • 

If the result is positive, i.e., if the calculated ICV is 
15 equal to the received ICV, (yes in step S13) , the process 
advances to step S15. Here, further decryption can be 
: taken by using AES and the like in order to determine the 
original IMSI, if necessary. 

20 If, however, the result of the ICV check (step S12) is 
negative (i.e. , the calculated ICV does not match with 
the received ICV), that is, if the integrity of the 
pseudonym cannot be verified (no in step S13) , the 
process advances to step S14, in which the pseudonym is 

25 rejected/ After this, the process ends. 

That is f according to the present embodiment, an ICV 
. check may be sufficient in order to reject a bogus 

pseudonym. Hence, it is not necessary to carry out the 
30 full decryption on every pseudonym received. 

In the following, the full verification of the pseudonym, 
i.e. the procedure in step S15 is shortly described with 
reference to Fig. 3. In step S151, an AES decryption is 
35 performed. Then, three further check steps are performed. 
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In step S152 the padding is checked, in step S153 the MCC 
part of IMSI is checked, and in step S154 the MCN part of 
IMSI padding is checked. Only when all three checks are 
passed, the pseudonym is accepted (step S156) . If in any 
5 of the steps S152 to S154 the verification fails, the 
pseudonym is rejected (step S155) . 

In the following, the key manangement is described in 
short. As metnioned above, a 128-bit encryption key (for 

10 AES encryption) and a 160-bit data integrity key (for ICV 
calculation) is used for the generation of pseudonyms for 
a given period of time determined by the operator. Once 
that time has expired, a new key pair can be configured 
at all the WLAN AAA servers. The old key pairs shall not 

15 be used any longer for the generation of pseudonyms, but 
the AAA servers must keep a number of suspended (old) key 
pairs for the interpretation of received pseudonyms that 
were generated with those old key pairs. The number of 
suspended key pairs kept in the AAA servers (up to 16) 

20 should be set by the operator, but it must be at least 
one, in order to avoid that a just-generated pseudonym 
becomes invalid immediately due to the expiration of the 
key. 

25 Each key pair has associated a Key Pair Indicator value . : 
This value is included in the pseudonym, as described 
above, so that when a WLAN AAA receives the pseudonym, it 
can use the corresponding key pair for obtaining the IMSI 
(and thence the Username) . 

30 

It is noted that, if a pseudonym is sent to a WLAN client 
but then the user does not initiate new authentication 
attempts for a long period of time, the key pair used for 
the generation of that pseudonym will eventually be 
35 removed from all the WLAN AAA servers. If the user :■- 
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initiates an authentication attempt after that time, 
using that old pseudonym/ the receiving AAA server will 
not be able to recognise the pseudonym as a valid one, 
and it will request the permanent user identity from the 
5 WLAN client. Thence, in order to achieve that permanent 
user identities are used as little as possible,, it is 
recommended that the key pair is not renewed very often* 
The configuration of the key pairs could be done via O&M 
(Operation & Management) , for example. Handling of these 
10 secret keys, including generation, distribution and 
storage, should be done in a secure way. 

As described above, when performing DoS attacks, an 
attacker can send multiple EAP-Response/Identity messages 

15 with bogus pseudonyms. If the procedure according to the 
embodiment of the present invention is not used, the AAA 
server decrypts every pseudonym using AES algorithm, 
checks. padding and part of IMS I (MCC and MCN) and rejects 
bogus , pseudonyms. When the number of the EAP- 

20 Response/Identity messages is large, the operation load 

on the AAA server may get very large such that the normal 
function of the AAA server may be disrupted. 

If, .however, the present embodiment of the invention is 
25 used, the AAA server calculates only the ICV using a 

keyed hash algorithm for every pseudonym. Thus, it can 
■ reject bogus pseudonyms before decryption (step S14 in 
Fig. 2) . Keyed hash algorithms are faster than AES 
algorithm, so the AAA server can resist heavier DoS 
30 attacks. E.g. SHA-i is 50% faster than AES (Ri jndael) . and 
MD5 is over 3 times faster than AES, see 
<http : / /www . eskimo . com/~weidai/benchmarks . html> . 
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Moreover, also the detection of forgery is improved. In 
the following calculations, it is assumed that an 
attacker generates bogus pseudonyms randomly. 

5 If the pseudonym according to the present embodiment of 
the invention is not used, AAA checks padding, MCC and 
MCN to detect forgery* In worst case, the probability 
that an attacker can forge a random pseudonym is 1/2-24, 
because there are only 3 octets (24 bits, namely 3*4 bits 

10 for MCN, 2*4 bits for MCC and 1*4 bits padding) to ensure 
the validity of pseudonym. Namely, as described above, 
for a valid pseudonym, only MCN, MCC and padding is 
checked* It is noted that here "the worst case" means 
that IMSI cannot be longer than 15 digits. If IMS I is 

15 shorter, then there are more bits to ensure the validity 
of pseudonym (padding is longer) . 

The probability that an attacker can forge a pseudonym 
corresponding to a certain IMSI is 1/2 A 64, because there 
20 are 8 octets (64 bits, length of the compressed IMSI 

having 60 bits and 4 bits padding) to ensure validity of 
pseudonym. 

If, however, the pseudonym according to the present 
25 embodiment of the invention is used, AAA server checks 
ICV, padding, MCC and MCN to detect forgery. In worst 
case, the probability that an attacker can forge a random 
pseudonym is 1/2-96 * 1/2-24 = 1/2-120, when ICV is 
truncated into 96 bits. The probability that an attacker 
30 can forge a pseudonym corresponding certain IMSI is 
1/2^96 * 1/2^64 = 1/2-160. 

Thus, according to the invention, a more reliable 
detection of bogus/forged pseudonyms is achieved, and a 
35 higher resistance against DoS attacks can be obtained. 
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It should be- understood that the above description and 
accompanying figures are merely intended to illustrate 
the present invention by way of example only. The 
5 described embodiment of the present invention may thus 
vary within the scope of the attached claims. 

For example , according to the embodiment described above , 
the pseudonym base string (identifier base string) is 
10 generated such that is has the following format: 

TAG||Key ihdicator||AES (padding||BCD (IMSI) [(random number) 

The .invention is not limited onto this particular format . 

15 Namely, the order of the different fields can be changed 
arbitrarily. Moreover, some of the fields can be .omitted. 
For example, if the used ciphering key is negotiated in 
another way (for example, if it is determined beforehand 
that a particular AAA server only use one particular 

20 key)-, the Key Indicator field may be y omitted. 

.Furthermore, if it is not considered necessary to 
indicate that this particular subscriber identifier is a 
pseudonym, also the TAG field may be omitted. In the same 
way, also the padding or the random number may be 

25 omitted, in order to simplify the processing in the AAA 
server. In addition, alternative coding procedures 
(instead of BCD) and encryption algorithms (instead of 
AES) may be adopted. 

30 Furthermore, the procedure according to the embodiment 
described above is situated in a WLAN environment. 
However, also- other suitable networks may be employed, as 
long as they permit the use of temporary identifiers or 
pseudonyms. 

35 
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Moreover , the above embodiment is directed to the 
establishment of a pseudonym. However, the invention is 
not limited thereon. For example, also temporary or 
permanent subscriber identifiers may be generated using 
5 the procedure according to the present invention. Namely, 
for example, DoS attacks can also be performed by using 
bogus subscriber identifiers (which may be known) instead 
of pseudonyms. When adopting the procedure according to 
the invention, it is also sufficient to calculate the ICV 
10 only, without the necessity to perform a full decryption. 

Moreover, according to the embodiment two different keys 
are using for encrypting the pseudonym base string on the 
one hand and for the ICV on the other hand. However, it 
15 is also possible to use identical keys in order to 

simplify the procedure, also preferably two different 
keys should be used in order to enhance security. 

In addition, according to the above embodiment, the ICV 
20 is truncated to 96 bits. This, however, is only an 

example and the ICV may be truncated to any other number 
of bits, for example depending on the number of bits 
available in the subscriber identifier. If possible, also 
no truncation at all may be performed. 

The invention proposes a method for generating a 
5 subscriber identifier, comprising the steps of generating 
an identifier base string based on encrypting a 
subscriber identifying value (SI), generating an 
integrity check value based on the identifier base string 
(32) , and generating a subscriber identifier based on a 
10 concatenation of the identifier base string and the 
integrity check value (S3, S4) . The invention also 
proposes a corresponding network control node. 
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CLAIMS 

1. A method for generating a subscriber identifier, 
5 comprising the steps of 

generating an identifier base string based on 
encrypting a subscriber identifying value (SI), 

generating, an integrity check value based on the 
identifier base string (S2) , and 
10 generating a subscriber identifier based on a 

concatenation of the identifier base string and the 
integrity check value (S3, S4.) . 

2. The method according to claim 1, wherein the 

15 identifier base string generating step comprises the 
steps of 

binary coding of the subscriber identifying value, 
concatenating a random number, and 
performing an encryption algorithm on the 
20 concatenated binary coded subscriber identifying value 

and the random number, for generating the identifier base 

string, 

3. The method according to claim 1, wherein in the 
25 subscriber identifier generating step, a base 64 

conversion is performed on the concatenated identifier 
base string and the integrity check value. 

4. The method according to claim 1, further comprising 
30 the step of using a key indicator for indicating a used 

ciphering key, 

wherein in the identifier base string generating 
step, the key indicator is concatenated to the value 
obtained by the encryption of the subscriber identifying 
35 value. 
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5. The method according to claim 1, further comprising 
the step of using a identifier type indicator for 
indicating that the identifier is a particular identifier 
5 type, wherein in the identifier base string generating 
step, the identity type indicator is concatenated to the 
value obtained by the encryption of the subscriber 
identifying value. 

10 6. The method according to claim 2, wherein., in the 

encryption algorithm performing step, a defined length is 
provided for the concatenated binary coded subscriber 
identifying value and the random number, wherein the most 
significant bits not used for the binary coded subscriber 

15 identifying value are set to 1, respectively. 

7 . . The method according to claim 1,. wherein the 
integrity check value generating step comprises the step 

Of ' • ; 

20 * performing a pseudo random function on the 

identifier base string using an integrity key. 

8. The method according to claim 7, further comprising 
the step of using a key indicator for indicating a used 

25 ciphering key and the integrity key used for generating 
the integrity check value, 
: . wherein in the identifier base string generating 

step, the key indicator is concatenated to the value 
, obtained by the encryption of the subscriber identifying 
30 value, , . 

9. The method according- to claim 7 , wherein the pseudo 
: .random function is a keyed hash function. 
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10. The method according to claim 7 , wherein the 
calculated result of the pseudo random function 
performing step is truncated to a predetermined amount of 
bits. 

5 

11. The method according to one of the claims 1 to 10, 
wherein the subscriber identifying value is an 
International Mobile Subscriber Identity. 

10 12. A method for validating a subscriber identifier, 
wherein the subscriber identifier comprises a format 
including at least an integrity check value, the method 
comprising the steps of 

" detecting an integrity check value of a received 
15 subscriber identifier (Sll) , 

performing an integrity check based on the integrity 
check value and the subscriber identifier (S12) , and 

rejecting the subscriber identifier (S14) in case 
the integrity check reveals that the subscriber 
20 identifier is not valid. 

13. The method according to claim 12 , further comprising 
the step of 1 

decrypting the subscriber identifier (S15; S151- 
25 S156) in case the integrity check is successful. 

14. A network control node for generating a subscriber 
identifier, comprising 

means for generating an identifier base string based 
30 on encrypting a subscriber identifying value, 

means for generating an integrity check value based 
on the identifier base string, and 

means for generating a subscriber identifier based 
on a concatenation of the identifier base string and the 
35 integrity check value. 
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15. The network control node according to claim 14, 
wherein the identifier base string generating means 
comprises 

5 means for binary coding of the subscriber 

identifying value, 

means for concatenating a random number to the 
binary coded subscriber identifying value, and 

means for performing an encryption algorithm on the 
10 concatenated binary coded subscriber identifying value 
and random number, for generating the identifier base 
string. 

16. The network control node according to claim 14, 
15 wherein the, subscriber identifier generating / means is 

adapted to perform a base 64 conversion on t'he 
concatenated identifier base string and the integrity 
check value. 

20 17. The network control node according to claim 14, 
wherein the subscriber identifier generating means is 
adapted to. concatenate a key indicator for indicating a 
used ciphering key to -the value obtained by the 
'encryption ot the subscriber identifying value. 

25 

18. The network control node according to claim 14, 
wherein the subscriber identifier generating means is 
adapted to concatenate a identifier type indicator, for 
indicating that the identifier is a particular identifier 

30 type, to the value obtained by the encryption of the 
subscriber identifying value. 

19, The network control node according to claim 15, 
wherein a defined length is provided for the concatenated 

35 binary coded subscriber identifying value and the random 



number and the encryption algorithm performing means is 
adapted to set 1 for the most significant bits not used 
for the binary coded subscriber identifying value. 

20. The network control node according to claim 14 , 
wherein the integrity check value generating means is 
adapted to perform a pseudo random function on the 
identifier base string using an integrity key. 

21. The network control node according to claim 14, 
wherein the subscriber identifier generating means is 
adapted to concatenate a key indicator for indicating a 
used ciphering key and the integrity key used for 
generating the integrity check value to the value 
obtained by the encryption of the subscriber identifying 
value . •' - ' 

22. The network control node according to claim 20, 
wherein the pseudo random function is a keyed hash 
function . 

23. The network control node according to claim 20/ 
wherein the integrity check value generating means is 
adapted to truncate the calculated result of the pseudo 
random function performing step to a predetermined amount 
of bits . 

24. The network control node according to one of the 
claims 14 to 23, wherein the subscriber identifying value 
is an International Mobile Subscriber Identity. 

25. A network control node for validating a subscriber 
identifier, wherein the subscriber identifier comprises a 
format including at least an integrity check value, the 
network control node comprising 
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means for detecting an integrity check value of a 
received subscriber identifier, 

means for performing an integrity check based on the 
integrity check value and the subscriber identifier, and 
5 means for rejecting the subscriber identifier in 

case the integrity check reveals that the subscriber 
identifier is not valid. 

26. The network control node according to claim 25, 
10 further comprising means for decrypting the subscriber 

identifier in case the integrity check is successful. 

27. The network control node according to one of ; the 
claims 14 to 26, wherein the network control node is an 

15 AAA (Authentication, Authorization, and Accounting) 
server. 

28. .A computer program product, comprising software code 
portions for performing the steps of any one of claims 1 

20 to 13 when the product, is run on a computer. 

29. The computer program product according to claim 28, 
wherein said computer program product comprises a 
computer-readable medium on which said software code 

25 portions are stored. 

30. The computer program product according to claim 28, 
wherein said computer program product is directly 
loadable into the internal memory of the computer. 

30 
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ABSTRACT 

The invention proposes a method for generating a 
5 subscriber identifier, comprising the steps of generating 
an identifier base string based on encrypting a 
subscriber identifying value (SI) , generating an 
integrity check value based on the identifier base string 
(S2), and generating a subscriber identifier based on a 
10 concatenation of the identifier base string and the 
integrity check value (S3, S.4) . The invention also 
proposes a corresponding network control node. 



(Fig. 1) 



